
PPTP VPN Problems with Vista SP1 and ZoneAlarm

VPN, ZoneAlarm, SP1, Vista 2 Comments »

Yesterday I advised a customer who is a remote VPN/Terminal Services user to upgrade to Vista SP1 in order to make "Terminal Services Easy Print" available.

After the installation of SP1 the user was not able to access the corporate VPN.

When trying to connect, Vista hangs at "Verifying username and password" and eventually shows error 828. On the server side, event 20209 was logged.

There is a discussion on the ZA forums as to where the blame lies for the problem but there does not seem to be a clear answer.

For the sake of simplicity, I have found that:

On Vista SP1 machines with version 7.1.248 of ZoneAlarm Free installed, PPTP VPN connections to Windows Server 2003-based RRAS servers do not work. Also note that disabling ZoneAlarm does not help. Uninstalling the product solved the issue immediately.

Always a pain when you try to solve one problem and create another in the process.  On a positive note Terminal Services easy print in Windows 2008 worked really well once we got the user reconnected.

Malware/Virus delivered through fake e-mail from UPS

Virus, Security, Exchange 1 Comment »

I have had several incidents this week of customer systems being infected by executables attached to e-mails appearing to be from UPS.

Looking around the blogs, these e-mails seem to be having a higher than normal infection rate. The infection is time consuming to get rid of, makes the infected machines unusable and creates a huge number of network connections.

The exact subject line of the e-mails that have been received is:

UPS Tracking Number 5440074870

Attached to the e-mail is a zip file containing an executable which when executed installs "XP Security Center".

[Screenshot: XPSecurity1]

Much more information about the detail of the actual email can be found on the Trend Malware Blog.  The worrying thing about this e-mail is that both of the machines that it infected have their e-mail filtered by very well known external 3rd party mail systems, then have virus scanning on their own Exchange servers and finally on their desktop machines.  At the moment this e-mail is still slipping through the net.

This virus does a LOT of clever things to prevent you from getting rid of it. I noticed that when trying to run Autoruns from Sysinternals it just would not work. Renaming the Autoruns executable allows it to run. It also stops you from installing/downloading Windows Defender, disables System Restore and removes the System Tools program group, amongst other things.

Not a very sophisticated solution but for now I have edited the Exchange IMF custom weighting file on customer systems to ensure that messages with "UPS Tracking" in the subject line are never delivered to the recipients and definitely classed as spam. 
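To show what the IMF custom weighting rule described above looks like as a file, here is a small Python builder plus an offline check of which subjects it would catch. This is an added example, not the author's own file: the element and attribute names (CustomWeightEntries, CustomWeightEntry with Type/Change/Text), the namespace and the file name MSExchange.UceContentFilter.xml follow Microsoft's Exchange 2003 SP2 custom weighting documentation as I recall it and should be checked against it, and the phrase list is constructed.

```python
"""Generate an IMF custom weighting file that forces messages with a given
subject phrase to the maximum SCL, and check offline what it would match.

Assumptions (recalled from Microsoft's IMF custom weighting docs, verify):
- file name MSExchange.UceContentFilter.xml, placed next to the IMF DLL;
- Type is SUBJECT, BODY or BOTH; Change is MAX, MIN or a signed integer;
- phrase matching is a case-insensitive substring match.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/exchange/2004/customweight"  # assumed namespace

# Constructed phrase list (the post's rule was "UPS Tracking" in the subject).
BLOCK_SUBJECTS = ["UPS Tracking"]


def build_custom_weight_xml(subject_phrases, body_phrases=(), change="MAX"):
    """Return the XML text for the custom weighting file.

    Change="MAX" pushes the SCL to its maximum so the message is classed as
    spam whatever the rest of its content scores; "MIN" does the opposite.
    """
    root = ET.Element("CustomWeightEntries", xmlns=NS)
    for phrase in subject_phrases:
        ET.SubElement(root, "CustomWeightEntry",
                      Type="SUBJECT", Change=change, Text=phrase)
    for phrase in body_phrases:
        ET.SubElement(root, "CustomWeightEntry",
                      Type="BODY", Change=change, Text=phrase)
    declaration = '<?xml version="1.0" encoding="utf-8"?>\n'
    return declaration + ET.tostring(root, encoding="unicode")


def subject_is_blocked(subject, xml_text):
    """Offline dry run: would a SUBJECT/BOTH entry with Change=MAX fire on
    this subject?  Mimics a case-insensitive substring match (assumption)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entry_tag = "{%s}CustomWeightEntry" % NS
    needle = subject.lower()
    for entry in root.iter(entry_tag):
        if entry.get("Type") not in ("SUBJECT", "BOTH"):
            continue
        if entry.get("Change") != "MAX":
            continue
        if entry.get("Text", "").lower() in needle:
            return True
    return False


if __name__ == "__main__":
    xml_text = build_custom_weight_xml(BLOCK_SUBJECTS)
    print(xml_text)
    for subj in ("UPS Tracking Number 5440074870", "Invoice for March"):
        print(subj, "->", "blocked" if subject_is_blocked(subj, xml_text) else "passes")
```

Run a dry run against a day's worth of real subject lines before deploying: a broad phrase such as "UPS Tracking" will also catch legitimate shipping notifications, which is the trade-off the post accepts for the duration of the outbreak.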

I had written a separate post on how to remove the virus manually, but at the moment I am still monitoring the infected machines to ensure they are completely clean.

An SBSC Success story

Community, SBSC 7 Comments »

I recently won a deal to provide a managed VPN solution for an existing customer. They have 8 branches around the country and these needed to be linked to the head offices based in Kent and Frankfurt.

The branches are spread all over the country, as far north as Glasgow and as far west as Swansea. Due to the distances involved it was not really feasible for me to install this system without assistance from a 3rd party.

Originally I had sub-contracted the entire job to an ISP who were very keen to take the deal on and seemed to know what they were doing. After a short while it was clear that they were not fit for the job and I had to pull their equipment out and cancel the order.

As a lot of time had been wasted dealing with the ISP, I really needed to get the system in place quickly and I needed to know that the guys who were going to be installing it knew what they were doing.

So, a quick post to the UKSBSG Yahoo group and within a couple of hours I had made contact with guys from all over the country who were keen to help me out and instantly understood what needed to be done. What a powerful resource!

All the appropriate hardware was ordered and dispatched to each depot. Because nearly all of the guys that had got in touch were very local they were able to drop in and do the work quickly. Within a couple of weeks of my initial post to the UKSBSG group the entire job was complete.

Not only was it complete but the whole thing went in without a hitch, all of the consultants that visited the branches were given high praise by the customer and they clearly all know their stuff.

The result is that by leveraging the SBSC community, a small company like mine can have the flexibility and responsiveness of a much larger firm and at a lower cost to the customer - everyone wins!

So I’d like to say a big thank you to everyone involved that helped me out:

Tim Long from Tigra Networks
Andy Parkes from IBIT Solutions
Mike Gelder from Redleg
Mike Tudor from No Nonsense IT
Billy from Agila Solutions
Dave from Manchester Computing

And also an honourable mention to suppliers Tekdata and Westcoast for providing consistently good service.

I am looking forward to my next partnering opportunity. If any SBS'ers are reading that specialise in VOIP systems, please get in touch :)

Using packet capture to find virus infected clients

Virus, Security, SBS 1 Comment »

Today a customer started to get a lot of their e-mails bounced. In fact they could not even e-mail me to let me know about the problem as my own mail servers were rejecting their messages.

The reason for this was because their IP address had been listed on the CBL.

I had a poke around the server and everything seemed to be in good order; patched up to date, virus scanner had nothing interesting to report, netstat did not show any abnormal connections and Exchange queues seemed normal. So I assumed that the problem must be coming from one of the network PCs.

This customer has a dual-NIC SBS 2003 Standard Edition server, not my preferred set-up, but the system had to be implemented in this way to fit in with existing infrastructure. It is not possible to see what traffic is passing through the NAT gateway on RRAS with the built-in tools, but Microsoft Netmon 3.1 should be able to show up any strange network traffic. I installed it and ran the following filter:

Tcp.dstport == 25 and ipv4.Address != 192.168.200.1

192.168.200.1 is the IP address of the internet facing NIC on the SBS machine.

Within a couple of minutes this filter showed all the machines on the network sending SMTP based traffic except for the SBS server itself. Fortunately there was only one. I took remote control of the machine and from the command line ran:

netstat -ano | find ":25"

The output of this command showed me the local processes which were attempting to communicate with other hosts on port 25 and gave me confirmation that this PC was definitely infected with some kind of mass mailing virus or worm. Killing the process listed by the netstat command stopped the mass mailer and gave some breathing space to find the cause of the problem.
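The same two checks, the Netmon filter and the netstat grep, as detection logic you can run over saved output rather than by eye. This is an added example, not code from the post: the netstat lines and frame summaries are constructed (the column layout matches `netstat -ano` on XP/2003), and 192.168.200.1 is the post's internet-facing NIC.

```python
"""Find workstations that initiate SMTP, and the local processes doing it.

Constructed sample data, not captures from the post.  Two checks:
1. rogue_smtp_senders(): the Netmon filter
       Tcp.dstport == 25 and ipv4.Address != <mail server>
   applied to per-frame (src, dst, dstport) summaries.
2. smtp_clients(): `netstat -ano | find ":25"` on the suspect PC, narrowed
   to *outbound* TCP connections and grouped by PID, which is what a mass
   mailer looks like from the inside.
"""
import re
from collections import namedtuple

Frame = namedtuple("Frame", "src dst dstport")
Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

MAIL_SERVER = "192.168.200.1"   # internet-facing NIC of the SBS box (from the post)

# Constructed Netmon-style frame summaries.
SAMPLE_FRAMES = [
    Frame("192.168.200.1", "203.0.113.10", 25),    # the SBS server: expected
    Frame("192.168.200.23", "203.0.113.11", 25),   # a workstation: suspicious
    Frame("192.168.200.23", "198.51.100.5", 80),   # ordinary web traffic
    Frame("192.168.200.40", "203.0.113.12", 25),   # a second workstation
]

# Constructed `netstat -ano` output as printed on XP/2003 (header included).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.200.23:1045    203.0.113.10:25        SYN_SENT        1764
  TCP    192.168.200.23:1046    203.0.113.11:25        ESTABLISHED     1764
  TCP    192.168.200.23:1047    198.51.100.5:80        ESTABLISHED     2288
  TCP    192.168.200.23:1048    203.0.113.12:25        SYN_SENT        1764
  UDP    0.0.0.0:500            *:*                                    1120
"""

# UDP rows have no State column, hence the optional group before the PID.
_NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def rogue_smtp_senders(frames, mail_server_ip):
    """Sources talking to port 25 where neither end is the mail server."""
    return sorted({f.src for f in frames
                   if f.dstport == 25 and mail_server_ip not in (f.src, f.dst)})


def parse_netstat(text):
    """Parse `netstat -ano` output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            conns.append(Conn(proto, laddr, int(lport), raddr, rport, state, int(pid)))
    return conns


def smtp_clients(conns):
    """Map PID -> set of remote hosts it is connecting to on TCP/25.
    Listeners are excluded: a genuine mail server listens on 25, a mass
    mailer connects out to many MX hosts from one process."""
    by_pid = {}
    for c in conns:
        if c.proto == "TCP" and c.rport == "25" and c.state != "LISTENING":
            by_pid.setdefault(c.pid, set()).add(c.raddr)
    return by_pid


if __name__ == "__main__":
    print("hosts sending SMTP that are not the server:",
          rogue_smtp_senders(SAMPLE_FRAMES, MAIL_SERVER))
    for pid, hosts in smtp_clients(parse_netstat(SAMPLE_NETSTAT)).items():
        print("PID %d -> %d SMTP peer(s): %s" % (pid, len(hosts), sorted(hosts)))
```

A PID that appears against several distinct remote hosts on port 25 is the one to look up in Task Manager or `tasklist /svc`; a single connection to your own Exchange server from an Outlook process is normal and is what the state and peer-count grouping keeps you from chasing.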

Turns out the machine in question had its virus checker disabled. So I turned it back on and ran a full scan which turned up almost 6,000 files infected with W32/MyDoom.

Once the problem had been found it was easy to sort, but because I have so few customers with this set-up it had not occurred to me how little visibility you get over network traffic with the SBS 2003 standard edition tools.

The joys of travelling sales laptops :D

Sending backup tape reminder e-mails

backup, Scripting, SBS 3 Comments »

This is just a very quick script written in response to a question posted in one of the SBS yahoo groups.

It sends an e-mail to a specified recipient reminding them to change the backup tape in a server. The SBS backup system does this automatically, so this is meant for use on SBS servers using something other than the in-built SBS backup.

Installation is simply a case of extracting the contents of this zip file to a folder on your SBS server and then changing the variables at the top of the script to appropriate values for your environment.

Once done you can test interactively from a command line by running "cscript tapereminder.vbs" and once you are happy with the results set up a scheduled task to do the job daily.

Windows update automatic e-mail notification

Security, Scripting, SBS 5 Comments »

As the number of servers that I am responsible for managing increases, it becomes more difficult to ensure that they are all patched up to date.

As most of the machines I manage are SBS boxes I thought that it would be nice to put something together which behaves in much the same way as the SBS generated e-mail alerts.

So, the result is a script which sends e-mail notifications to a specified address and gives details of which patches are available to be installed.  The administrator can choose which of the four patch levels will trigger an e-mail alert (Critical, Important, Moderate & Low).

If there are no outstanding patches at the appropriate alert levels to be installed then the script will quit without sending an e-mail.

The script is then run as a scheduled task every evening and I can quickly see if I have anything to action.  The report includes links to the relevant KB articles and further information made available by Microsoft.

[Screenshot: AutoUpdate]

The script only takes a couple of minutes to setup as there are only six settings at the top of the file…

The first four settings are flags; setting any of them to 1 will trigger alerts for that particular update severity:

  • AlertCritical
  • AlertImportant
  • AlertModerate
  • AlertLow

The remaining two are the addresses used for the report:

  • EmailFrom - Specifies the e-mail address the report will be sent from.
  • EmailTo - Specifies the e-mail address to send the reports to.

[Screenshot: variables]

As shown above I have been running with AlertCritical/AlertImportant set to 1 and the other two set to 0. 

So, if you want to receive email alerts all you need to do is download this Zip file, extract the contents to a folder on your server and then edit the variables at the top of the script.  To perform a test run go into a command prompt and change directory to the location where you extracted the script and run:

cscript winupdates.vbs

With any luck you should get an e-mail soon after with the results. If you find that it is not generating you an e-mail as expected, one reason may be that there are no patches available to install. Bear in mind that not all items from Windows Update will appear. For example "Internet Explorer 7" is not a patch and therefore will not be listed.

Running the script interactively as above will take a few moments while Windows Update (or WSUS, if you have it installed) is checked for new updates.

Once you have completed a successful test you can go ahead and set up a scheduled task. Assuming an installation directory of "c:\scripts", the scheduled task command should look something like this:

C:\WINDOWS\system32\cscript.exe c:\scripts\winupdates.vbs

Also worth a mention that I have used this on standard (non-SBS) Windows servers and it works well.

Perhaps if enough people use this script, it will actually save as much time as it took to make it, but I doubt it. :)

Editing/updating the data connection string for Excel worksheets and pivot tables

Excel, Office No Comments »

A customer going through a large infrastructure migration had a requirement to update the connection string/data source of several thousand Excel workbooks. Not only did these workbooks contain many worksheets, but also database driven pivot tables. They asked me if I could put something together which could do this for them.

After some investigation it seemed that many people have had this problem in the past, but nobody had a solid solution, especially one easy enough for end users to work with.

It turns out that the connection string is embedded in the document, and this Microsoft KB article had some example code on how to update this information in a pivot table within Excel 2003.

As it would not be practical to use the code in the KB article on so many documents, I used the example as a starting point to create a tool which could update many documents as a batch process (but equally could be used on a single document).

This utility will search a filesystem for .xls (Excel 97-2003 format) files starting at a specified folder and either show or replace the entire connection string, or a substring of the existing connection string.

The idea behind the two replacement modes is that sometimes only one detail might have changed, such as authentication information, or the IP Address/hostname of a database server. In other instances your environment might have changed significantly enough that you need to replace the whole thing.

When you execute the utility it will output various bits of information about the documents and the data connections that they contain, and whether updates have been applied or skipped.

If you leave the “Connection string to replace” field empty it will run in display only mode. In this mode the connection strings found will be displayed and no changes will be applied. The output can be used as a basis for your real replacement run.

I have not personally tested or used this tool extensively, but it has been used in production by my customer to change several thousand documents without issue. My advice would be to copy several documents into a folder to get the hang of how it works before running it for real.

Because my customer paid me to develop this tool it would be somewhat unfair of me to give it away exactly as they received it. I have therefore limited the number of documents which can be changed in one go to 100. This is particularly useful for users of Excel 2003 (and prior) as there is no interface for changing the connection string at all.

Here is the download link.

Update: I spent far longer than it is worth trying to get this app to work within Vista with UAC enabled, but I just don’t know enough about how visual basic and user account control work together. If anyone out there does know how and would like to help me, please get in touch!

Using ISMTPOnArrival_OnArrival event to save messages to a filesystem based on the message subject

Scripting, Exchange No Comments »

The ISMTPOnArrival_OnArrival event sink in Exchange 2003 can be used to trigger code to perform various tasks. I have recently used this method to strip attachments from messages and then FTP them to a remote machine, based on the message subject and recipient.

In this more basic example, the entire message is saved to the filesystem in .eml format to a folder specified within a variable. The script could be made much more elaborate with the addition of a couple of arrays to specify multiple subjects/locations. The idea is that you could set up a system where e-mails are automatically filed without having to depend on user intervention, avoiding the requirement for 3rd party software.

This can be implemented by following the example from this Microsoft Knowledge Base article. The file referred to in the article called SMTPREG.VBS can be found here on MSDN. Instead of the SMTPMsgCheck.vbs file referenced in the article, create a file called SMTPSubjectCheck.vbs and insert the following code (you will also need to modify the registration batch file accordingly):


<SCRIPT LANGUAGE="VBScript">
Sub IEventIsCacheable_IsCacheable()
	' To implement the interface, and return S_OK implicitly
End Sub

Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
	Dim Pos, SubjectToFind, SaveFolder, SaveFile, MsgStream, BadChars, i

	SubjectToFind = "Project1"
	SaveFolder = "c:\"

	' Compare mode 1 (vbTextCompare) makes the subject search case-insensitive
	Pos = InStr(1, Msg.Subject, SubjectToFind, 1)

	If Pos <> 0 Then
		' Build the file name from the sent date and subject first, and only
		' then sanitise it, so the folder path itself is never touched.
		' Characters that are illegal in a Windows file name, plus "\" and
		' "/" so a crafted subject cannot point outside SaveFolder, become "_".
		SaveFile = Msg.SentOn & "-" & Msg.Subject & ".eml"
		BadChars = "\/:*?""<>| "
		For i = 1 To Len(BadChars)
			SaveFile = Replace(SaveFile, Mid(BadChars, i, 1), "_")
		Next

		' Write the raw message; 2 = adSaveCreateOverWrite
		Set MsgStream = Msg.GetStream
		MsgStream.SaveToFile SaveFolder & SaveFile, 2
		MsgStream.Close
		Set MsgStream = Nothing
	End If

	' 0 = cdoRunNextSink: let any other registered sinks see the message
	EventStatus = 0
End Sub
</SCRIPT>

In this example the script is looking for a subject line that contains the text "project1" (not case sensitive) and saving the message to the root of c:.

I have attached a zip file to the blog post with all the required files; just be cautious about using it if you already have event sinks registered (drop the files into c:\eventsink).
subjectcheck.zip

Tunneling RDP over SSH with the version 6 RDP Client

RDP, Vista 4 Comments »

I regularly use SSH to connect to customer systems and tunnel various different sorts of traffic through it (Telnet, ODBC, RDP etc). In certain cases, I have no other method of remote access to systems other than SSH.

This has not been a problem until I recently upgraded to Windows Vista, which includes Remote Desktop Connection v6. This version will not allow connections to 127.0.0.1 on any port; it complains with the error message:

"The client could not connect. You are already connected to the console of this computer. A new console session cannot be established"

Which of course is true, if I were trying to connect to 3389.

So today, after spending significant effort on this over the last couple of months, I have found a simple solution to the problem:

  • Instruct your SSH client to listen on all interfaces for connections. For the command line this means adding "-g" to your connection. I am using PuTTY, so ticking the box that says "Local ports accept connections from other hosts" under Connection/SSH/Tunnels will do the job.

  [Screenshot: Putty]

  • In the remote desktop client use 127.0.0.2 as the destination host and it will then happily pass through any tunnels you have created. For example 127.0.0.2:3390.

Bear in mind that "-g" (or the equivalent PuTTY option) makes the forwarded port reachable from other hosts on your local network for as long as the tunnel is open, not just from your own machine. OpenSSH lets you avoid that by binding the forward to the loopback address you will dial instead, e.g. "-L 127.0.0.2:3390:host:3389", which needs no "-g".

I realize there probably are not that many people out there using SSH to tunnel RDP, but if you are then RDP 6 has been a real pain until now.

Windows SharePoint Services Network Audit for SBS

Wss, SBS 8 Comments »

I have recently knocked together an application for auditing computers on customer SBS networks. It uses WMI to query machines in Active Directory for various bits of information and then inserts them into a SharePoint list. There are two components to the utility: a WSS site template and an executable to be run on the SBS server itself.

The information can be manipulated via Windows SharePoint Services (companyweb) to highlight certain groups of computers. An example might be "machines with low disk space" or "Windows XP without SP2".

Other lists can then be linked in the normal way; a task list linked to the computer list is included in the template. I also use lists to store information about printers/routers and to store a safe copy of firmware files etc.

I showed the tool recently at my local SBSC group and several of the members thought it might be useful, so I have done a little more work on it and released it here.

Installation is pretty simple and really only requires the following steps:

  • Upload the WSS site template.
  • Create a WSS subsite.
  • Run the audit tool and point it at your subsite.

I recommend that you name the subsite "sbsnet", but you can call it whatever you like.

If you want to see a video of how to install/run the tool then go here. It might take a while to load up fully, but it shows the audit being installed and run inside a virtual server.

If you have ISA Server installed you will also need to follow the "server" instructions here in order for it to work.

You can download it from:

http://www.accendo.co.uk/blog/files/SBSNetworkAudit.zip

There is the potential to extend the tool to capture any information available via WMI (which is a huge amount); at the moment it's just basic hardware and OS information.

If you find this useful, then please do make a donation to my charity cycle ride. Every £1 makes a difference!
